reachableceo
2b422cf62c
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
141 lines
4.9 KiB
Bash
141 lines
4.9 KiB
Bash
#!/usr/bin/env bats
|
|
# KNEL-Football Unit Tests - Firewall Setup
|
|
# Reference: PRD.md FR-004 (Network Isolation)
|
|
# Copyright © 2026 Known Element Enterprises LLC
|
|
# License: GNU Affero General Public License v3.0 only
|
|
|
|
# =============================================================================
|
|
# File Existence and Properties
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh exists" {
|
|
[ -f "/workspace/src/firewall-setup.sh" ]
|
|
}
|
|
|
|
@test "firewall-setup.sh is executable" {
|
|
[ -x "/workspace/src/firewall-setup.sh" ]
|
|
}
|
|
|
|
@test "firewall-setup.sh is a valid bash script" {
|
|
run bash -n /workspace/src/firewall-setup.sh
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "firewall-setup.sh uses strict mode" {
|
|
grep -q "set -euo pipefail" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# WireGuard Endpoint Parsing
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh has parse_wg_endpoint function" {
|
|
grep -q "parse_wg_endpoint()" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh parses Endpoint from WireGuard config" {
|
|
grep -q "Endpoint" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh handles missing WireGuard config" {
|
|
grep -q "WireGuard config not found" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# nftables Rule Generation
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh has generate_nftables_rules function" {
|
|
grep -q "generate_nftables_rules()" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh generates nftables rules" {
|
|
grep -q "nft" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh creates inet filter table" {
|
|
grep -q "table inet filter" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh sets default drop policy on input" {
|
|
grep -q "chain input" /workspace/src/firewall-setup.sh
|
|
grep -A 5 "chain input" /workspace/src/firewall-setup.sh | grep -q "policy drop"
|
|
}
|
|
|
|
@test "firewall-setup.sh sets default drop policy on forward" {
|
|
grep -q "chain forward" /workspace/src/firewall-setup.sh
|
|
grep -A 3 "chain forward" /workspace/src/firewall-setup.sh | grep -q "policy drop"
|
|
}
|
|
|
|
@test "firewall-setup.sh sets default drop policy on output" {
|
|
grep -q "chain output" /workspace/src/firewall-setup.sh
|
|
grep -A 5 "chain output" /workspace/src/firewall-setup.sh | grep -q "policy drop"
|
|
}
|
|
|
|
@test "firewall-setup.sh accepts loopback traffic" {
|
|
grep -q "iif lo accept" /workspace/src/firewall-setup.sh
|
|
grep -q "oif lo accept" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh blocks ICMP ping (security hardening)" {
|
|
! grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh
|
|
grep -q "destination-unreachable" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh allows WireGuard traffic" {
|
|
grep -q "udp dport" /workspace/src/firewall-setup.sh
|
|
grep -q "WireGuard" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# Apply Firewall Function
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh has apply_firewall function" {
|
|
grep -q "apply_firewall()" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh writes to /etc/nftables.conf" {
|
|
grep -q "/etc/nftables.conf" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh enables nftables service" {
|
|
grep -q "systemctl enable nftables" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh restarts nftables service" {
|
|
grep -q "systemctl restart nftables" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh handles missing endpoint gracefully" {
|
|
grep -q "default deny policy" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# Main Function
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh has main function" {
|
|
grep -q "main()" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh calls main when executed directly" {
|
|
grep -q 'BASH_SOURCE\[0\]' /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
# =============================================================================
|
|
# Security Properties
|
|
# =============================================================================
|
|
|
|
@test "firewall-setup.sh flushes existing ruleset" {
|
|
grep -q "flush ruleset" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh uses WireGuard endpoint IP for allow rule" {
|
|
grep -q "ip daddr" /workspace/src/firewall-setup.sh
|
|
}
|
|
|
|
@test "firewall-setup.sh uses WireGuard endpoint port for allow rule" {
|
|
grep -q "udp dport" /workspace/src/firewall-setup.sh
|
|
}
|